CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00757
- creditSnyk Research Team
Description
Enabling AWS WAF on API Gateways mitigates the risk of common web exploits that could affect application availability, compromise security, or consume excessive resources. Without WAF, API Gateways are more vulnerable to attacks such as SQL injection and cross-site scripting (XSS).
How to fix?
Set the resource_arn of aws_wafv2_web_acl_association to aws_api_gateway_stage.arn and web_acl_arn to aws_wafv2_web_acl.arn.
Example Configuration
resource "aws_api_gateway_stage" "valid_example" {
deployment_id = aws_api_gateway_deployment.valid_example.id
rest_api_id = aws_api_gateway_rest_api.valid_example.id
stage_name = "valid_example"
}
resource "aws_wafv2_web_acl" "valid_example" {
name = "web-acl-association-valid_example"
scope = "REGIONAL"
default_action {
allow {}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}
resource "aws_wafv2_web_acl_association" "valid_example" {
resource_arn = aws_api_gateway_stage.valid_example.arn
web_acl_arn = aws_wafv2_web_acl.valid_example.arn
}